The Samba-Bugzilla – Bug 6088
Implement "domain controller = no" when using an LDAP backend
Last modified: 2009-02-19 15:59:30 UTC
I would like an extra option in smb.conf for the event that an LDAP backend is being used but you don't want that particular Samba server to be a Domain Controller, just a file server.
I hope the diagram explains the scenario.
I have achieved this in a roundabout way. On the file server I disabled nmbd, and on our WINS server I put an entry in for the file server as an ordinary file server, not a DC.
Why not use security=domain? Doesn't that do exactly what you want?
As far as I remember, no, it didn't. That requires a net join, and the SID mapping would be done via winbind communicating to the domain controller? That causes problems because I need the uid/gid to be consistent; for that I'm using nssldap.
You need no winbind; you can keep using ldapsam as passdb backend, which pulls the SIDs out of LDAP. If you have problems setting that up, you had better discuss that on the Samba mailing list. I'm closing this bug as there is obviously no defect and no missing feature in Samba here ;-)
I discussed this on the mailing list before raising the bug and nobody could give me a solution that worked.
So getting back to this.
With this config:
workgroup = CS
netbios name = WESTMEATH
security = domain
server string = Storage Server
encrypt passwords = Yes
ldap passwd sync = yes
interfaces = eth1 147.x.x.x/16
bind interfaces only = yes
password server = kerry
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
mangling method = hash2
domain logons = yes
domain master = No
preferred master = no
wins server = xxx.xxx.xxx.xxx xxx.xxx.xxx,xxx
passdb backend = ldapsam:ldaps://147.xxx.xxx.xxx
ldap admin dn = cn=admin,dc=cs,dc=dit,dc=ie
ldap suffix = dc=cs,dc=dit,dc=ie
ldap group suffix = ou=group
ldap user suffix = ou=user
ldap machine suffix = ou=machine
load printers = no
create mask = 0640
directory mask = 0750
nt acl support = yes
printing = none
ldapsam:trusted = yes
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
comment = Techshare
path = /home/tech
read only = No
profile acls = yes
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
printable = no
valid users= @tech
hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
According to what you said, Samba should not advertise itself as a domain controller, but it still does.
I've tried every combination of settings I can think of but I still cannot get the outcome I want.
you tell em to by setting domain logons = yes ...
With domain controller = no.
Westmeath:~# net user -I Westmeath
Enter root's password:
Could not connect to server 147.xx.xx.xx
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
And it creates it only sambaDomain object in LDAP
Which is completely wrong.
It should be using sambaDomainName=CS,dc=cs,dc=dit,dc=ie
Sorry, that should be
And it creates its _own_ sambaDomain object in LDAP
domain logons = no
I should really proofread my comments!